Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Top command causing issues with stats commands

alaking
Explorer
‎10-30-2015 11:34 PM

I am trying to audit bandwidth usage. The following search works as expected, except the URLS flood the URL field. I want the top 5:

Search here
| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal 
| head 10

When I try to limit the domains listed using "top" like this:

Search here
| top limit=5 url by user
| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal 
| head 10

The URL list is limited to 5 results per row, the problem is my sent/received/transferred fields go blank. And when I try putting top further down like this:

| stats list(url) as URL sum(sent) as SentTotal sum(received) as ReceivedTotal by user
| top limit=5 url by user
| eval Transferred=ReceivedTotal+SentTotal
| table user URL SentTotal ReceivedTotal Transferred
| sort -ReceivedTotal, -SentTotal 
| head 10

I get "No results found."

I am using Verbose mode and in every instance, I can see events on the events tab of the search window. I'm wondering if I am using top incorrectly.
Thanks is advance for reading and for any help you can provide.

0 Karma
Reply

acharlieh
Influencer
‎10-31-2015 05:20 AM

This sounds like a job for the still undocumented multireport offhand something like this:

... | multireport 
         [top limit=5 url by user]
         [stats sum(sent) as SentTotal sum(received) as ReceivedTotal by user]
    | stats list(url) as URL values(*Total) as *Total by user
    | eval Transferred=ReceivedTotal+SentTotal
    | table user URL SentTotal ReceivedTotal Transferred
    | sort 10 -Transferred

So what's going on? Using multireport we generate statistics for your two transforming commands separately, we then pull the results back together using stats, and go on our merry way.

I should note that you can use trickery with appendpipe, eval, and where to get similar results without venturing into the undocumented parts of Splunk too it's just more verbose.

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...